Administratrivia #0
DISCLAIMER

■ This presentation is for informational purposes only. Do not apply the material if not explicitly authorized to do so

■ Reader takes full responsibility for applying or experimenting with the presented material

■ Authors are fully waived of any claims of direct or indirect damages that might arise from applying the material

■ Information herein represents the authors' own views on the matter and does not represent any official position of any affiliated body

■ tl;dr:

■ DO NOT TRY THIS AT HOME!
■ USE AT YOUR OWN RISK!
ATC Today...

EURECOM

[Image: "AIR TRAFFIC CONTROL" meme with panels "What my mom thinks I do", "What my friends think I do", "What society thinks I do", "What pilots think I do", "What I think I do", "What I actually do"]

How do radars work without ADS-B?

[Figure: PSR: rotating antenna, transmitted signal, received signal (backscatter). SSR: rotating antenna, transmitted interrogation, generated reply from the SSR transponder + external antennae + cockpit control panel.]

Non co-operative versus co-operative independent surveillance
SSR transmits basic solicited data

[Figure: SSR: rotating antenna, transmitted interrogation, generated reply from the SSR transponder + external antennae + cockpit control panel.]

■ SSR is a solicited type of communication

■ Solicitation via XPDR

■ Solicitation via voice VHF

■ Example of data from SSR XPDR:

■ Aircraft Address

■ Altitude

■ Code (squawk)

■ Angles (Roll/Track)

SSR transponder (XPDR)

■ XPDR sends so-called squawks 

■ In this example - it squawks code 1200 

What do SSR displays look like?

Automatic Dependent Surveillance - Broadcast (CASA, 2006)

Inputs are not robust enough

To allow correlation of a FLTID to a flight plan, the FLTID must match the Aircraft Identification (ACID) entered in Item 7 of the Flight Notification.

If you enter either of these codes incorrectly, ATC might not be able to see your aircraft, or might confuse it with another.

You could also affect other systems, like TCAS. The codes are flight critical information, so enter them carefully.

■ TCAS (Traffic Collision Avoidance System) = very critical component in air-traffic safety

■ ACID coordinates the harmonized operational deployment of Mode S Elementary Surveillance

Automatic Dependent Surveillance - Broadcast (CASA, 2006)

Inputs are not robust enough

Don't add any leading zeros, hyphens, dashes or spaces to the FLTID.

[Comic: the "Little Bobby Tables" strip, in which a school loses its student records to a pupil named "Robert'); DROP TABLE Students;--" and his mother replies "And I hope you've learned to sanitize your database inputs."]

Garmin GTX32x Avionics Transponders

Input mistakes have severe implications

When making routine code changes, you should avoid inadvertent selection of codes 7500, 7600, or 7700 thereby causing momentary false alarms at automated ground facilities. For example when switching from code 2700 to code 7200, switch first to 2200 then 7200, NOT to 7700 and then 7200.

This procedure applies to nondiscrete code 7500 and all discrete codes in the 7600 and 7700 series (i.e., 7600-7677, 7700-7777) which trigger special indicators in automated facilities. Only nondiscrete code 7500 will be decoded as the hijack code. An aircraft’s transponder code (when available) is utilized to enhance the tracking capabilities of the ATC facility, therefore you should not turn the GTX 320 to SBY when making routine code changes.


Important Codes 

• 1200 —The VFR Code for any altitude. 

• 7600 —Loss of Communications. 

• 7500 —Hijacking (Never assigned by ATC with 
her aircraft is subject to unlawful interference). 

• 7700 —Emergency (All secondary surveillance 
times). 


Important Codes 

Following is a list of important codes: 

• 1200 - VFR code in the U.S. (refer to ICAO standards for VFR codes in other countries).

• 7000 - VFR code commonly used in Europe (refer to ICAO standards).

• 7500 - Hijack code.

• 7600 - Loss of communication code.

• 7700 - Emergency code.

• 7777 - Military interceptor operations code (NEVER SQUAWK THIS CODE).

• 0000 - Code for military use in the U.S. 

How can ADS-B be exploited?

ATC Tomorrow - NextGen, ATC/M and eAircrafts

[Figure: flight phases from AIRPORT ABC to AIRPORT XYZ (terminal area; en route, continental; en route, hard to reach or oceanic; en route, continental; terminal area), covered by radar, multilateration and data communication stations on ground]

US GOV ITDashboard - FAAXX704 (ADS-B)

ADS-B is a $billions world-wide effort from 2006

FAAXX704: Automatic Dependent Surveillance Broadcast (ADS-B)

[Screenshot: IT Dashboard page for investment FAAXX704. Description (partly legible): "The Surveillance and Broadcast Services (SBS) program office is implementing [...] Automatic Dependent Surveillance-Broadcast (ADS-B), a surveillance system designed to provide improved air traffic information for pilots and air traffic controllers [...]". Exhibit 300, Section C: Summary of Funding (Budget Authority for Capital Assets), Table 1C.1 Summary of Funding, with columns PY-1 & Prior, PY 2011, CY 2012, BY 2013 and rows for planning costs, DME, O & M costs, total cost and Govt FTE.]

RTCA UAT MOPS DO-282A ADS-B

"unmatched" security, but hey... "Safety-first!"

Minimum Operational Performance Standards for
Universal Access Transceiver (UAT)
Automatic Dependent Surveillance - Broadcast (ADS-B)

Guidance for the Provision of Air Traffic Services Using ADS-B for Airport Surface Surveillance

How does ADS-B work? - Architectural view

2.1.1 ADS-B Out and ADS-B In

[Figure: ADS-B Out and ADS-B In - Simplified Functional Diagram. GNSS (GPS, GLONASS, GALILEO) feeds the onboard avionics navigation systems, from which ADS-B information is derived. The aircraft broadcasts an extended (112 bit) squitter, drawn with 8 bit, 24 bit and 56 bit ADS message fields, to an extended squitter ground station, which forwards it to the ATC facility. 1090ES includes a 56 bit data field used to carry ADS-B information.]

ICAO/FAA ADS-B Implementation Workshop

ADS-B-INsideOUT...

■ Mode A/C, Mode S - Interrogated data:

■ Altitude, Code, Aircraft Address

■ Elementary and Enhanced Mode S - Interrogated data:

■ Flight ID, Selected Alt, Mach Number, Magnetic Heading, Roll Angle, Track Angle, Track Angle Rate, TAS, IAS, GS, VS

■ ADS-B-Out - Broadcast Data - DO-260-like Extended Squitter:

■ Position, Velocity, Flight ID

■ ADS-B-Out - Broadcast Data - DO-260B:

■ Position, Velocity, Flight ID, SIL/SDA, Length/Width, Mode A code, Emerg Code, NIC, NACp/NACv, Geo Altitude, TCAS data, GPS Ant Offset + more....

■ ADS-B-In - Received Data - ADS-B/CDTI Applications:

■ Near Term: AIRB, EVApp, ITP, SURF

■ Future: IM, SURF-IA


■ ADS-B is being used over 2 existing technologies: 

■ Mode-S - 1090 MHz (replies) and 1030 MHz (interrogation) 

■ UAT (Universal Access Transceiver) - 978 MHz (replies) 

Australia Airservices ADS-B Coverage Map

ADS-B Deployment Map - Australia

www.airservicesaustralia.com/projects/ads-b/ads-b-coverage/

[Maps: ADS-B End State Coverage at 5,000 feet, 10,000 feet, 20,000 feet and 30,000 feet]

FAA NextGen Technologies Interactive Map (ADS-B)

ADS-B Deployment Map - USA

www.faa.gov/nextgen/flashmap/

Automatic Dependent Surveillance-Broadcast

Automatic Dependent Surveillance-Broadcast (ADS-B) is a key NextGen transformational program. Using the global satellite network, ADS-B will provide improved safety, capacity and efficiency in the National Airspace System. With ADS-B, air traffic controllers and pilots will see the precise location of every equipped aircraft. Pilots will also have real-time access to weather and flight information. Infrastructure is planned to be completed by early 2014.

[Map: NextGen Technologies in the NAS, showing ADS-B radio stations with advisory services and separation services]

Page Last Modified: 08/09/10 11:06 ET

What does ADS-B look like? - Community view

[Screenshot: www.flightradar24.com live traffic map]

Summarized list of enthusiast-level ADS-B radar receivers

How does the community get this data?

■ AirNav RadarBox

■ Mode-S Beast with miniADSB

■ PlaneGadgets ADS-B

■ miniADSB

■ Funkwerk RTH60

■ Kinetic SBS

■ microADSB USB

■ microADSB-IP BULLION

ADS-B frame - modulation



■ Frames encoded in 

■ Pulse-position-modulation (PPM) 

■ 1 bit = 1 us 

■ Shared-medium (no CA/CD), theoretical bandwidth 1 Mbit/sec 

ADS-B frame - format



■ Frames composed of 

■ A preamble 

■ 8 bits for TX/RX sync 

■ A data-block 

■ 56 bits for short frames 

■ 112 bits for extended/long frames 

■ Mandatory to have 

■ 24 bits ICAO address of aircraft 

■ 24 bits error-detection parity 

Agenda

1. Intro to ATC
2. ATC Problems Today
3. What is ADS-B?
4. ATC Problems Tomorrow - ADS-B Threats
5. How can ADS-B be exploited?
6. Solutions and take-aways

ADS-B Main Threats - Summary

ADS-B Threat (Fail / warn / ok):

■ Entity/message authentication

■ Entity authorization (eg. medium access)

■ Entity temporary identifiers/privacy

■ Message integrity (HMAC)

■ Message freshness (non-replay)

■ Encryption (message secrecy)

ADS-B is almost like “ALL R/W with ‘Guest as Admin’ enabled”

Potential mitigations exist... but are not public


■ Mode-4/Mode-5 IFF Crypto Applique 

■ 2-Levels Crypto secured version of Mode S and ADS-B GPS position 

■ Defined for military NATO STANAG 4193 

■ Enhanced encryption 

■ Spread Spectrum Modulation 

■ Time of Day Authentication 

■ Level 1: 

■ Aircraft Unique PIN 

■ Level 2:

■ Level 1 + other (unknown for now) information

■ Apparently based on Black & Red keys crypto

■ ADS-B also specifies the following, but no details are available about crypto/security:

■ DF19 = Military Extended Squitter 

■ DF22 = Military Use Only 

Solutions and take-aways

ADS-B - Adversary Model - By role


■ Pilots

■ Bad intent

■ (Un)intentional pranksters

■ Pranksters 

■ Abusive users/organizations 

■ Privacy breachers - eg. Paparazzi 

■ Message conveyors 

■ Criminals 

■ Money (more likely). Eg.: Underground forums with “Worldwide SDRs 
for hire” - potentially very profitable underground biz (think sniff GSM) 

■ Terror (less likely) 

■ Military/intelligence 

■ Espionage 

■ Sabotage 

Example: internal prankster attack

[Screenshot: numbered list of 32 prank flight IDs observed in broadcasts (for example ATCFAIL, DUMBPILT, JETSBLOW, GETAJOB, YOUWIN), with partly cropped aircraft type, registration, operator and timestamp columns]

Example: external criminals potential attack


■ Similar to “internal prankster” 

■ Should not be overlooked though 


■ Any of the fields can be used to encode attacker’s data 

■ For communication similar to C&C (Hollywood-style “avionics botnet”)

■ For exchanging intelligence data 

■ Attacker’s data can be: obfuscated, encoded, encrypted 

■ Data could mimic real/sniffed ADS-B messages having minor 
intentional errors/discrepancies which would encode attacker’s data 


■ Example: See the demo 

Example: external abusers + public data correlation

Can publicly access private details (why is this allowed?!)

en.wikipedia.org/wiki/Aircraft_registration

• Searchable worldwide registration database
• Aruba Aircraft Register
• Australian Aircraft Register
• Austrian Aircraft Register
• Belgian Aircraft Register
• Brazilian Aircraft Register
• British Aircraft Register
• Canadian Aircraft Register
• Danish Aircraft Register
• Dutch Aircraft Register
• Dutch Historic Aircraft Registers
• Finnish Aircraft Register
• French Aircraft Register
• Guatemalan Aircraft Register
• Indian Aircraft Register
• International Registry of Mobile Assets, pursuant to the Cape Town Treaty
• Irish Aircraft Register
• Latvian Aircraft Register
• Lebanese Aircraft Register
• Luxembourg Aircraft Register
• New Zealand Aircraft Register
• Norwegian Aircraft Register
• Singapore Aircraft Register
• South African Aircraft Register
• Swedish Aircraft Register
• Swiss Aircraft Registry
• United States Aircraft Registry
• Article 20 of the Convention on International Civil Aviation
• Annex 7 to the Convention on International Civil Aviation
• Supplement to Annex 7 of the Convention on International Civil Aviation

Public access, seriously? USA (FAA)

[Screenshot: FAA Registry "N-Number Inquiry Results" page for N1 ("N1 is Assigned"), listing aircraft description (serial number, manufacturer name, model, type of aircraft and engine, Mode S code, certificate issue and expiration dates, status), registered owner (name, street, city, state, county, zip code, country) and airworthiness (engine manufacturer and model, classification, category, A/W date)]

Public access, seriously? Australia (CASA)

Public access, seriously? CAA (UK)

[Screenshot: Civil Aviation Authority G-INFO Database Search form: "Search for an aircraft's details by entering your search criteria into any number of the fields displayed below." Fields: Registration (without "G-" prefix), Serial Number, Aircraft Type or Name, Registered Owner, ICAO 24 bit aircraft address (hex), View De-Registered Aircraft]

International Register of Civil Aircraft

The International Register of Civil Aircraft is published, in co-operation with ICAO, jointly by Bureau Veritas (France), the UK Civil Aviation Authority and the ENAC of Italy. The database, which contains information from over 45 countries and over 400,000 aircraft, is available on CD-ROM and is updated on a quarterly basis. This CD-ROM now also contains the US Register of Civil Aircraft. To order the International Register on CD-ROM please see forms and fees.

ADS-B - Adversary Model - By location


■ Ground-based 

■ Easier to operate (win criminals) 

■ Easier to be caught (win agencies) 

■ Easier to defend or mitigate against (win agencies) 

■ Eg. Angle of arrival, time-difference of arrival 


■ Airborne 

■ Drones 

■ UAV 

■ Autonomously pre-programmed self-operating checked-in luggage: 

■ Pelican case, barometric altimeter, battery, embed-devs, GPS, RF... 

■ Possibly could work around angle of arrival 

■ Could pose more advanced threat to ADS-B IN enabled aircraft

■ Important: not extensively modeled in the attacker & threat modeling of 
Mode-S/ADS-B 
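
The time-difference-of-arrival check named above as a defence against ground-based emitters can be sketched as follows. This is an added example, not code from the presentation; the station layout, local Cartesian coordinates in metres and the 1 µs tolerance are assumptions.

```python
import math
from itertools import combinations
from typing import Dict, Tuple

C = 299_792_458.0  # speed of light in m/s
Point = Tuple[float, float, float]  # local x, y, z in metres (assumed frame)


def arrival_times(emitter: Point, stations: Dict[str, Point],
                  t_tx: float = 0.0) -> Dict[str, float]:
    """Time at which a signal sent at t_tx from `emitter` reaches each station."""
    return {name: t_tx + math.dist(emitter, pos) / C
            for name, pos in stations.items()}


def tdoa_residuals(claimed: Point, stations: Dict[str, Point],
                   received: Dict[str, float]) -> Dict[Tuple[str, str], float]:
    """Measured minus expected TDOA (seconds) for every station pair.

    `claimed` is the position decoded from the ADS-B message itself;
    `received` holds the synchronized receive timestamps of that message.
    """
    residuals = {}
    for a, b in combinations(sorted(received), 2):
        expected = (math.dist(claimed, stations[a])
                    - math.dist(claimed, stations[b])) / C
        measured = received[a] - received[b]
        residuals[(a, b)] = measured - expected
    return residuals


def claim_is_consistent(claimed: Point, stations: Dict[str, Point],
                        received: Dict[str, float],
                        tolerance_s: float = 1e-6) -> bool:
    """True when the claimed position explains the observed arrival times."""
    if len(received) < 3:
        raise ValueError("need at least three ground stations")
    return all(abs(r) <= tolerance_s
               for r in tdoa_residuals(claimed, stations, received).values())


# Constructed sample geometry: three ground stations, one claimed position.
STATIONS = {"A": (0.0, 0.0, 0.0), "B": (30_000.0, 0.0, 0.0), "C": (0.0, 30_000.0, 0.0)}
CLAIMED = (40_000.0, 30_000.0, 10_000.0)   # position carried in the message
GROUND_EMITTER = (5_000.0, 2_000.0, 0.0)   # where the signal really came from

if __name__ == "__main__":
    genuine = arrival_times(CLAIMED, STATIONS)
    spoofed = arrival_times(GROUND_EMITTER, STATIONS)
    print("genuine consistent:", claim_is_consistent(CLAIMED, STATIONS, genuine))
    print("spoofed consistent:", claim_is_consistent(CLAIMED, STATIONS, spoofed))
    print("spoofed residuals:", tdoa_residuals(CLAIMED, STATIONS, spoofed))
```

The check only compares pairs of stations, so the unknown transmit time cancels out; it says nothing about an emitter that is actually airborne near the claimed position, which is the gap the slide points out.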



Scenario showcase #1

82-000 747-2G4B VC-25A ADFDF8/AE2FF4 ?!?!?!

Scenario showcase #1 - Privacy

82-000 747-2G4B VC-25A ADFDF8/AE2FF4 ?!?!?!

■ Assumptions: 

■ ADS-B is ALL R/W = Clear-text and No privacy 

■ Open issues: 

■ If ADS-B data is true 

■ Why does “Air Force One” show itself?

■ Should this type of aircraft broadcast their pos/ident?

■ If yes, wouldn’t they become easy targets? 

■ If no, how would they benefit to/from ADS-B? 

■ If workaround with “fake” reg_nums/call_signs, isn’t this a kind 
of backdoor in CS terms? 

■ Perhaps they use mostly Mode-5 encrypted mode 

■ Then, why doesn’t everybody have access to Mode-5 in the 
first place? 

Scenario showcase #1 - Impersonation

82-000 747-2G4B VC-25A ADFDF8/AE2FF4 ?!?!?! 


■ Assumptions: 

■ ADS-B is ALL R/W = Non-auth (access and messages) 

■ Open issues: 

■ If ADS-B data is false 

■ Someone is already spoofing or not? 

■ How do you know for sure if yes or no? 

■ Also, anyone can say “I am Air Force One” 

■ Does “Air Force One” have special ATC treatment?

■ If so, can this be an abused procedural “backdoor”? 


■ These open issues raise “uncertainties” 

■ Unless otherwise clarified 

■ Any “uncertainty” poses threat to safety of operation 

Potential for DoS on ATC human-resource


■ Attack: 

■ Based on “Fake airplane injection into ATC” attack 

■ Mitigation: there is a mostly manual procedure for an ATC operator to check
a flight number against flight plans and flight strips (flight strips is so 1900,
really!)


■ Twist 1:

■ Inject 1 mln fake airplanes, both valid and invalid flight plans, filed by
different flight plan systems

■ Result: Potential human-resource exhaustion 


■ Fixes: 

■ Have fully e-automated flight plan exchange and cross-checks 

■ Better, solve ADS-B insecurities and potential is nullified 

Potential for DoS on ATC flight-space resource

■ Attack: 

■ Similar to “DoS on ATC human-resource” 

■ Twist 1:

■ Fake planes scattered on wide geographic area of responsibility of “victim 
ATC” 

■ The area of ghost/fake/unidentified aircraft/object is in “flight quarantine” 

■ Separations are increased, all normal routes deviated

■ General rules are in ICAO 4444 + country specifics 

■ This is done for safety reasons (eg. ASSET methodology) to avoid disasters 

■ A potentially wide geo-area affected in terms of air-traffic - nightmare! 

■ Twist 2:

■ Fake a copy of a genuine aircraft within its own area of separation

■ Will generate a Short Term Conflict Alert (STCA) 

■ Fixes: 

■ Locate and turn-off attacker RF emitter (but what if it’s a drone?) 

■ Better, solve ADS-B insecurities and potential is nullified 

Potential for DoS on ADS-B IN aircraft


■ Attack: 

■ Based on “Fake airplane injection into ATC” attack 

■ Mitigation: unknown, perhaps similar to ATC semi-auto/semi-manual flight 
plan cross-check 


■ Twist 1: Inject fake airplanes (1...1 mln) into ADS-B IN capable aircraft

■ Assumption: Target aircraft lacks good connectivity and automated cross-check protocols for flight plan lookup and validation (compared to ATC)

■ Result: Total uncertainty in received data, i.e. data is useless... 


■ Fixes: 

■ Have real-time critical data exchange and verification capability on eAircrafts 

■ Have fully e-automated flight plan exchange and cross-checks 

■ Better, solve ADS-B insecurities and potential is nullified 

Hardware setup

Hardware - Functions - Price

■ SDR USRP1 - Main RF support - 700 USD

■ SBX - ADS-B OUT/IN (attack) - 475 USD

■ WBX - ADS-B OUT/IN (attack) - 450 USD

■ DBSRX2 - ADS-B IN (verify) - 150 USD

■ Plane Gadget - ADS-B IN (verify) - 245 USD

■ Attenuators - Limit output (SMA cable) - <10 USD

Alternative SDRs

Alternative ADS-Bs

ADS-B Message Replay
Quick reference 


■ Capture ADS-B data: 

■ UHD-mode 

■ uhd_rx_cfile.py -spec B:0 -gain 25 -samp-rate 4000000 -f 
1090000000 -v ~/CAPTURE_adsb. fc32 

■ Pre-UHD-mode 

■ usrp_rx_cfile.py 

■ Replay the captured data: 

■ UHD-mode 

■ tx_transmit_samples -file ~/CAPTURE_adsb.fc32 -ant 
"TX/RX" -rate 4000000 -freq 1090000000 -type float - 
subdev B:0 

■ Pre-UHD-mode 

■ usrp_replay_file.py 

ADS-B Message Injection
Quick reference 


■ ADS-B data crafting 

■ Tweak the captured data 

■ Load l/Q data: d_cap = read_float_binary(‘~/CAPTURED_adsb.fc32’) 

■ Modify the samples: d_cft = adsb_randomize(d_cap) 

■ Write back l/Q data: write_float_binary(d_cft, ‘~/CRAFTED_adsb.fc32’) 

■ Generate the data 

■ MatLab - modulate(adsb_frame, fc, fs, ‘ppm’) 

■ GNUradio - write native C++ block 

■ Transmit the crafted data: 

■ UHD-mode 

■ tx_transmit_samples -file ~/CRAFTED_adsb.fc32 -ant "TX/RX" -rate 
4000000 -freq 1090000000 -type float -subdev B:0 

■ Pre-UHD-mode 

■ usrp_replay_file.py 

ADS-B Message Analyze/Visualize/Plot
Quick reference


■ GNURadio ModeS tests:

■ Pre-UHD-mode (by Eric Cottrell):

■ gr-air/src/python/usrp_mode_s_logfile.py

■ UHD-mode (by Nick Foster):

■ gr-air-modes/python/uhd_modes.py -a -w -F ~/CRAFTED_adsb.fc32

■ GNURadio:

■ gr_plot_psd_c.py -R 4000000 ~/CAPTURE_adsb.fc32

■ gr_plot_psd_c.py -R 4000000 ~/CRAFTED_adsb.fc32

■ Octave + gnuplot:

■ n_samp = 500000

■ trig_lvl = 0.01

■ d_cap = read_float_binary('CAPTURE_adsb.fc32', n_samp)

■ axis([0, n_samp, -trig_lvl, trig_lvl])

■ plot(d_cap)

Demo showtime

Demo details 


■ Sniffed and replayed: 

■ [0x8d, 0x42, 0x40, 0x50, 0x58, 0xaf, 0x74, 0x92, 0x69, 0xb9, 0x78, 0x081a0a]


■ Crafted and injected:

■ [0x8d, 0xde, 0xad, 0xbf, 0x58, 0xaf, 0x74, 0x92, 0x69, 0xb9, 0x78, 0xa95724]

■ [0x8d, 0xca, 0xfe, 0xbb, 0x58, 0xaf, 0x74, 0x92, 0x69, 0xb9, 0x78, 0x3949e0]

■ [0x8d, 0xb0, 0x00, 0xb5, 0x58, 0xaf, 0x74, 0x92, 0x69, 0xb9, 0x78, 0x2cec6b]

■ [0x8d, 0x31, 0x33, 0x70, 0x58, 0xaf, 0x74, 0x92, 0x69, 0xb9, 0x78, 0x7117c7]


■ Parity needs to be tweaked 

■ For ADS-B over Mode-S 

■ adsb_modes_crc.py 

■ For ADS-B over UAT 

■ adsb_uat_crc.py 
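
The demo frames above differ only in the ICAO address and parity while the 56-bit ADS message stays bit-identical, which a receiver can detect. The following added example (not code from the presentation) splits each 112-bit frame into the fields of the frame-format slide and flags ADS messages seen under more than one address; the control frame and the function names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ExtendedSquitter:
    df: int         # downlink format: top 5 bits of the 8-bit control field
    ca: int         # capability: low 3 bits of the control field
    icao: str       # 24-bit ICAO aircraft address, hex
    me: str         # 56-bit ADS message field, hex
    parity: str     # 24-bit error-detection parity, hex
    type_code: int  # top 5 bits of the ADS message


def parse_extended_squitter(frame_hex: str) -> ExtendedSquitter:
    """Split a 112-bit frame into 8 | 24 | 56 | 24 bit fields."""
    raw = bytes.fromhex(frame_hex)
    if len(raw) != 14:
        raise ValueError("expected a 112-bit (14-byte) extended frame")
    return ExtendedSquitter(
        df=raw[0] >> 3,
        ca=raw[0] & 0x07,
        icao=raw[1:4].hex().upper(),
        me=raw[4:11].hex(),
        parity=raw[11:14].hex(),
        type_code=raw[4] >> 3,
    )


def find_cloned_payloads(frames: Iterable[str]) -> Dict[str, List[str]]:
    """Map each ADS message seen under several ICAO addresses to those addresses."""
    seen = defaultdict(set)
    for frame_hex in frames:
        frame = parse_extended_squitter(frame_hex)
        if frame.df == 17:  # DF17 = ADS-B extended squitter
            seen[frame.me].add(frame.icao)
    return {me: sorted(addrs) for me, addrs in seen.items() if len(addrs) > 1}


# The five frames listed on the slide (one sniffed, four crafted).
DEMO_FRAMES = [
    "8d42405058af749269b978081a0a",
    "8ddeadbf58af749269b978a95724",
    "8dcafebb58af749269b9783949e0",
    "8db000b558af749269b9782cec6b",
    "8d31337058af749269b9787117c7",
]
# Constructed control frame: other address, other payload, placeholder parity.
CONTROL_FRAME = "8d4b1a2b58c382d690c8ac000000"

if __name__ == "__main__":
    for me, addrs in find_cloned_payloads(DEMO_FRAMES + [CONTROL_FRAME]).items():
        print(f"ADS message {me} broadcast by {len(addrs)} addresses: {addrs}")
```

On a live feed the grouping would be limited to a short time window; the check catches only payloads reused unchanged and does not validate parity.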

Agenda

1. Intro to ATC
2. ATC Problems Today
3. What is ADS-B?
4. ATC Problems Tomorrow - ADS-B Threats
5. How can ADS-B be exploited?
6. Solutions and take-aways

Solutions


■ Solutions could include:

■ Verifiable multilateration (MLAT) with multiple ground-stations, but:

Guidance Material on Surveillance Technology Comparison
7.11 VERIFICATION OF ADS-B

Some commentators have promoted the use of multilateration as a means of ensuring the validity of received ADS-B data. Technically this is possible. Radar could also be used to verify the integrity of ADS-B data. If radar and/or multilateration [...] advantages of ADS-B are significantly diminished and the ADS-B deployment becomes unlikely.

Verification could perhaps be achieved at major airport hubs aimed at detecting non compliant

Edition 1.0 September 2007 Page 41

■ “Group of aircrafts” concepts

■ AANETs should take inspiration from VANET solutions

■ Lightweight PKI architectures and protocols. Our thoughts: 

■ FAA, EUROCONTROL, CASA as CAs 

■ CAs root keys installed/updated during ADS-B device 
mandatory certification process 

■ HMAC on each broadcast message 

■ Every broadcast a subset of HMAC bits 
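
One way to read the last two bullets is a per-message HMAC of which only a few bits travel with each broadcast, combined with a counter for freshness. The sketch below is an added example, not the authors' design: the 24-bit tag subset, the 4-byte counter, the message layout and the pre-shared per-aircraft key (standing in for keys established through the proposed PKI) are all assumptions.

```python
import hashlib
import hmac
from typing import Dict, List

TAG_BYTES = 3  # assumed: 24 of the 256 HMAC bits fit into each broadcast


def tag_subset(key: bytes, icao: bytes, counter: int, payload: bytes) -> bytes:
    """Leading TAG_BYTES of HMAC-SHA256 over address, counter and ADS message."""
    mac = hmac.new(key, icao + counter.to_bytes(4, "big") + payload, hashlib.sha256)
    return mac.digest()[:TAG_BYTES]


class Receiver:
    """Checks tag subsets and tracks how many tag bits each sender has proven."""

    def __init__(self, keys: Dict[bytes, bytes]):
        self.keys = keys                           # ICAO address -> key
        self.last_counter: Dict[bytes, int] = {}   # freshness state per sender
        self.verified_bits: Dict[bytes, int] = {}  # consecutive verified tag bits

    def check(self, icao: bytes, counter: int, payload: bytes, tag: bytes) -> str:
        key = self.keys.get(icao)
        if key is None:
            return "unknown-sender"
        if counter <= self.last_counter.get(icao, -1):
            return "replay"                        # stale or repeated counter
        expected = tag_subset(key, icao, counter, payload)
        if not hmac.compare_digest(expected, tag):
            self.verified_bits[icao] = 0           # one bad tag resets the streak
            return "bad-tag"
        self.last_counter[icao] = counter
        self.verified_bits[icao] = self.verified_bits.get(icao, 0) + 8 * TAG_BYTES
        return "ok"


def demo() -> List[str]:
    key = bytes(range(32))                         # constructed key
    icao = bytes.fromhex("424050")                 # address from the demo slide
    payload = bytes.fromhex("58af749269b978")      # ADS message from the demo slide
    rx = Receiver({icao: key})
    sent = [(n, payload, tag_subset(key, icao, n, payload)) for n in (1, 2, 3)]
    results = [rx.check(icao, *msg) for msg in sent]
    results.append(rx.check(icao, *sent[1]))       # captured message sent again
    good = tag_subset(key, icao, 4, payload)
    forged = bytes([good[0] ^ 1]) + good[1:]       # tag guessed without the key
    results.append(rx.check(icao, 4, payload, forged))
    results.append(rx.check(bytes.fromhex("deadbf"), 1, payload, good))
    return results


if __name__ == "__main__":
    print(demo())
```

A single 24-bit subset can be guessed with probability 2^-24, so the receiver's confidence comes from the run of consecutive verified messages rather than from any one of them.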

Take-aways


■ ADS-B is a safety-related mission-critical technology 

■ Yet, ADS-B lacks minimal security mechanisms 

■ This poses direct threat to safety 

■ ADS-B costs tremendous amount of money, coordination, time 

■ Yet, ADS-B is defeated in practice with 

■ FOSS or moderate-effort custom software 

■ Relatively low-cost SDRs hardware 

■ ADS-B assumptions are not technologically up-to-date 

■ Doesn’t account for users having easy access to RF via SDRs

■ Doesn’t account for users having easy access to UAV, drones, etc.

■ SDRs and their decreasing price are not the problem

■ ADS-B is flawed and is the actual root-cause problem

Thank you!

Questions, ideas, corrections?